A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses.
The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by establishing guiding principles and policy options for States, industry, and civil society in relation to the development, facilitation, purchase, and use of such tools.
The declaration stated that “uncontrolled dissemination” of spyware offerings contributes to “unintentional escalation in cyberspace,” noting it poses risks to cyber stability, human rights, national security, and digital security.
“Where these tools are used maliciously, attacks can access victims’ devices, listen to calls, obtain photos and remotely operate a camera and microphone via ‘zero-click’ spyware, meaning no user interaction is needed,” the U.K. government said in a press release.
According to the National Cyber Security Centre (NCSC), thousands of individuals are estimated to have been globally targeted by spyware campaigns every year.
“And as the commercial market for these tools grows, so too will the number and severity of cyber attacks compromising our devices and our digital systems, causing increasingly expensive damage and making it more challenging than ever for our cyber defenses to protect public institutions and services,” Deputy Prime Minister Oliver Dowden said at the U.K.-France Cyber Proliferation conference.
Notably missing from the list of countries that participated in the event is Israel, which is home to a number of private sector offensive actors (PSOAs) or commercial surveillance vendors (CSVs) such as Candiru, Intellexa (Cytrox), NSO Group, and QuaDream.
Recorded Future News reported that Hungary, Mexico, Spain, and Thailand – which have been linked to spyware abuses in the past – did not sign the pledge.
The multi-stakeholder action coincides with an announcement by the U.S. Department of State to deny visas for individuals that it deems to be involved with the misuse of dangerous spyware technology.
One hand, spyware such as Chrysaor and Pegasus are licensed to government customers for use in law enforcement and counterterrorism. On the other hand, they have also been routinely abused by oppressive regimes to target journalists, activists, lawyers, human rights defenders, dissidents, political opponents, and other civil society members.
Such intrusions typically leverage zero-click (or one-click) exploits to surreptitiously deliver the surveillanceware onto the targets’ Google Android and Apple iOS devices with the goal of harvesting sensitive information.
That having said, ongoing efforts to combat and contain the spyware ecosystem have been something of a whack-a-mole, underscoring the challenge of fending off recurring and lesser-known players who provide or come up with similar cyber weapons.
This also extends to the fact that CSVs continue to expend effort developing new exploit chains as companies like Apple, Google, and others discover and plug the zero-day vulnerabilities.
“As long as there is a demand for surveillance capabilities, there will be incentives for CSVs to continue developing and selling tools, perpetrating an industry that harms high risk users and society at large,” Google’s Threat Analysis Group (TAG) said.
An extensive report published by TAG this week revealed that the company is tracking roughly 40 commercial spyware companies that sell their products to government agencies, with 11 of them linked to the exploitation of 74 zero-days in Google Chrome (24), Android (20), iOS (16), Windows (6), Adobe (2), and Mozilla Firefox (1).
Unknown state-sponsored actors, for example, exploited three flaws in iOS (CVE-2023-28205, CVE-2023-28206, and CVE-2023-32409) as a zero-day last year to infect victims with spyware developed by Barcelona-based Variston. The flaws were patched by Apple in April and May 2023.
The campaign, discovered in March 2023, delivered a link via SMS and targeted iPhones located in Indonesia running iOS versions 16.3.0 and 16.3.1 with an aim to deploy the BridgeHead spyware implant via the Heliconia exploitation framework. Weaponization by Variston is a high-severity security shortcoming in Qualcomm chips (CVE-2023-33063) that first came to light in October 2023.
The complete list of zero-day vulnerabilities in Apple iOS and Google Chrome that were discovered in 2023 and have been tied to specific spyware vendors is as follows:
“Private sector firms have been involved in discovering and selling exploits for many years, but the rise of turnkey espionage solutions is a newer phenomena,” the tech giant said.
“CSVs operate with deep technical expertise to offer ‘pay-to-play’ tools that bundle an exploit chain designed to get past the defenses of a selected device, the spyware, and the necessary infrastructure, all to collect the desired data from an individual’s device.”